4

I'm building an AngularJS application that will interact with RESTful services running on a different host. Since requests are going across origins, CORS is getting into the picture. Since requests specify JSON as expected content type, CORS preflight requests are triggered by the browser. Straightforward so far.

According to W3 spec, CORS preflight requests should exclude user credentials. The RESTful web services application is protected by SiteMinder, which is configured to enforce authentication based on URL. Web services depend on SiteMinder for authentication and handle authorization only. That's why SiteMinder cannot be removed. As a result, CORS preflight requests come back with HTTP 401 Authorization Required. It prevents browser from moving forward with the actual request.

Any ideas about how to enable CORS preflight requests in a SiteMinder protected environment? Thanks a lot in advance!

jubedus
  • 55
  • 1
  • 5

1 Answers1

1

You can try to ignore OPTIONS method by setting autoauthorizeoptions = yes in ACO parameters for the agent

++++++++++++++++++++++++++++ Allow Automatic Access to Resources that use the OPTIONS Method The SiteMinder Web Agent still challenges authenticated users who attempt to access resources that use the OPTIONS method. Some examples of resources that use the OPTIONS method include (but are not necessarily limited to) the following:

Microsoft® Word documents Microsoft® Excel® spreadsheet documents This challenge occurs because the application associated with the resource sends a request using the OPTIONS method to the web server. Because this request does not include a SiteMinder cookie, the Web Agent issues a challenge.

To prevent users from being challenged for these resources

Set the value of the following parameter to yes: autoauthorizeoptions Automatically authorizes any requests for resources which use the HTTP OPTIONS method.

If you set the value of this parameter to yes, also set the value of the PersistentCookies parameter to no.

Limits: yes, no

Set the value of the PersistentCookies parameter to no.

++++++++++++++++++++++++

jubedus
  • 55
  • 1
  • 5
  • 2
    I have the config just like you mentioned, but still I am receiving CORS error. preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin – Bhargav Jul 17 '18 at 03:14